From: Marc-André Lureau
Date: Fri, 4 Jun 2021 12:34:30 +0000 (+0400)
Subject: tftp: check tftp_input buffer size
X-Git-Tag: upstream/4.2.1~6
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e3c4be09b917be690f83917ec0467650c31efb58;p=tools%2Fqemu-arm-static.git

tftp: check tftp_input buffer size
Git-commmit: 3f17948137155f025f7809fdc38576d5d2451c3d
References: bsc#1187366, CVE-2021-3595
Fixes: CVE-2021-3595
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
Signed-off-by: Marc-André Lureau
Signed-off-by: Jose R Ziviani
---
diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
index c20914528..5a6279396 100644
--- a/slirp/src/tftp.c
+++ b/slirp/src/tftp.c
@@ -444,7 +444,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
 
 void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
 {
- struct tftp_t *tp = (struct tftp_t *)m->m_data;
+ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
+
+ if (tp == NULL) {
+ return;
+ }
 
 switch (ntohs(tp->tp_op)) {
 case TFTP_RRQ:
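Review bot: The bound passed to `mtod_check` in `tftp_input` is `offsetof(struct tftp_t, x.tp_buf)`, which by its name covers only the fields ahead of the payload, so passing the NULL check guarantees no more than that prefix is readable. Any handler reached from the `switch` that reads fields beyond that offset still needs its own comparison against the packet length. Those handlers and the rest of `tftp_input` lie outside this hunk, so that should be confirmed there. I would record the contract above the check, for example `/* Runt datagram: drop it. Only the bytes before x.tp_buf are known to be present from here on. */`.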